If running SFTP Gateway 3.5 or earlier, your operating system is losing support. Here’s what to do.


TLDR: If you’re running SFTP Gateway 3.5 or earlier, you need to upgrade. Amazon Linux 2 reaches end-of-life on June 30, 2026, and Postgres 13 is already unsupported. Beyond the OS deadlines, some critical security vulnerabilities (including CVE-2023-47174, a CVSS 9.8 remote code execution flaw) can only be patched by upgrading. The migration process involves exporting your config as a YAML backup, launching a new stack, and importing. Most customers complete it in a single maintenance window.

Here’s what to do if you’re running SFTP Gateway 3.5 or earlier

If you’re running SFTP Gateway 3.5 or earlier, there are some critical dates you need to be aware of:

  • November 13, 2025: Postgres 13 reached end-of-life. If you’re running a High Availability deployment with an external Postgres database, you may already be on an unsupported version.
  • June 30, 2026: Amazon Linux 2 reaches end-of-life, which means no further security patches from Amazon.

For organizations that depend on SFTP Gateway for secure file transfers, especially those in regulated industries, running on unsupported infrastructure isn’t just technical debt. It’s a compliance risk.

There’s another reason to upgrade that’s arguably more pressing: security vulnerabilities. Some critical CVEs can only be resolved by upgrading to the latest operating system. If you’re running an older version, you may be exposed to vulnerabilities that simply cannot be patched on your current platform.

The good news: recent SFTP Gateway releases have already migrated to supported versions, patched critical vulnerabilities, and delivered significant performance improvements. Here’s what you need to know.

The Deprecation Timeline

Different versions of SFTP Gateway are available for various operating systems, depending on your cloud platform. Here’s where things stand:

Amazon Web Services

Versions before 3.5.1 run on Amazon Linux 2, which reaches end-of-life on June 30, 2026. Version 3.5.1 and later run on Amazon Linux 2023.

Microsoft Azure and Google Cloud

Versions before 3.7.4 run on Ubuntu 22.04. While Ubuntu 22.04 standard support doesn’t end until April 2027, that’s not the whole story. Some CVEs can only be resolved on Ubuntu 24.04, meaning certain security patches are unavailable unless you upgrade. Version 3.7.4 and later run on Ubuntu 24.04.

High Availability Deployments with External PostgreSQL

Postgres 13 reached EOL on November 13, 2025. If you’re running HA with an external Postgres database on version 13, you’re already on an unsupported database. Recent SFTP Gateway versions support Postgres 16.

Security Vulnerabilities Patched in Recent Releases

Beyond the operating system updates, recent versions of SFTP Gateway include patches for several CVEs. Cloud marketplaces like AWS, Azure, and GCP actively monitor for these vulnerabilities and have been known to de-list or hide products that don’t address critical security issues. Here are some of the highlights:

CVE-2023-47174 (Critical, CVSS 9.8): A Java deserialization vulnerability that allowed unauthenticated remote code execution through the SFTP Gateway admin portal. This vulnerability was discovered by security researchers at Praetorian, who were specifically investigating file transfer solutions after the high-profile GoAnywhere and MOVEit breaches. Fixed in version 3.4.4.

CVE-2023-48795 (Terrapin Attack): A vulnerability in the SSH protocol that could allow attackers to downgrade connection security. Given that SSH is the foundation of SFTP, this one matters. Fixed in version 3.4.6.

CVE-2025-31650 (High Severity, CVSS 7.5): An input validation vulnerability in Apache Tomcat where malformed HTTP headers could cause a memory leak. In a sustained attack, this could trigger an OutOfMemoryException, causing the server to crash. This poses a denial-of-service risk for any organization relying on SFTP Gateway for critical file transfers.

CVE-2025-27553 (High Severity, CVSS 7.5): A path traversal vulnerability in Apache Commons VFS that could allow unauthorized file access through the FileObject API.

CVE-2025-30474 (Important): An information exposure vulnerability where error messages could inadvertently reveal sensitive data, including passwords embedded in URIs.

CVE-2025-31651: A rewrite rule bypass vulnerability in Apache Tomcat that could allow specially crafted requests to circumvent security constraints.

These vulnerabilities affect SFTP Gateway directly or its underlying components. Even if your deployment hasn’t been targeted, running unpatched software increases your attack surface and your audit risk.

Performance Improvements Worth Noting

Security and compliance aren’t the only reasons to upgrade. Recent releases also deliver meaningful performance gains:

Up to 3x faster transfer speeds: Version 3.7.4 includes performance tuning that can significantly accelerate file transfers, particularly for high-volume workloads.

1 TB maximum file size: Version 3.6.1 increased the maximum supported file size to 1 TB, with configurable multipart upload sizing for large file transfers.

Faster file listings: Version 3.5.1 improved file listing performance, reducing wait times when browsing directories with many files.

New Features You Might Have Missed

If you’ve been on an older version for a while, here’s a quick rundown of capabilities that have been added:

  • Single S3 event per upload: Version 3.7.5 (coming soon) eliminates duplicate S3 events that plagued earlier versions. Previously, uploading a file triggered two events: one when the zero-byte placeholder was created, and another when the upload completed. If you’ve built workflows around S3 event notifications, you’re familiar with the frustration this can cause. Now you get a single, clean event per upload.
  • Connect to Azure Files: Access Azure Files directly from SFTP Gateway
  • LDAP integration: Authenticate users against your existing directory
  • User expiration dates: Automatically disable user accounts after a set date
  • Health check API endpoint: An endpoint that health checks can use for HA monitoring
  • Password history enforcement: Prevent users from reusing recent passwords
  • RDS IAM authentication: Use IAM for database authentication in AWS HA deployments

How to Check Your Version

Not sure which version of SFTP Gateway you’re running? The easiest way is to log in to the SFTP Gateway admin console and check the footer of the page.

You can also SSH into your instance and navigate to /opt/sftpgw/. The jar file in that directory includes the version number in its filename.

For AWS deployments, you can check the EC2 instance details, as the AMI name typically includes the version. For Azure and GCP, check the VM image name on the instance detail page.

If you’re on a version older than 3.5.1, it’s time to plan your upgrade.
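The check described above as a script, added here as an example and not taken from the vendor: it reads the version out of a jar filename and compares it with the version thresholds this article gives. That the filename carries the version as X.Y.Z is an assumption, and the sample filename is constructed; the article does not give the exact naming.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: the jar filename contains X.Y.Z.
SAMPLE_JAR="sftpgw-admin-3.5.0.jar"   # constructed filename; real naming may differ

# Print the first X.Y.Z triple found in $1 (nothing if there is none).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 when version $1 is strictly older than $2 (numeric per component,
# so 3.10.0 is newer than 3.7.4).
version_lt() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2          # splits both versions into $1..$3 and $4..$6
    IFS=$old_ifs
    [ "$1" -lt "$4" ] && return 0; [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0; [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Print one finding per line for version $1 on platform $2 (aws|azure|gcp).
# Every threshold below is taken from this article.
assess() {
    v=$1
    case $2 in
        aws)       if version_lt "$v" 3.5.1; then echo "OS: Amazon Linux 2, EOL June 30, 2026"; fi ;;
        azure|gcp) if version_lt "$v" 3.7.4; then echo "OS: Ubuntu 22.04, some CVE fixes need 24.04"; fi ;;
    esac
    if version_lt "$v" 3.4.4; then echo "Unpatched: CVE-2023-47174 (fixed in 3.4.4)"; fi
    if version_lt "$v" 3.4.6; then echo "Unpatched: CVE-2023-48795 (fixed in 3.4.6)"; fi
    if version_lt "$v" 3.6.0; then echo "Upgrade: no in-place path, migrate via YAML backup"; fi
    return 0
}

# Usage: sh check.sh [aws|azure|gcp]. Off the instance, the sample name is used.
platform=${1:-aws}
if [ -d /opt/sftpgw ]; then set -- /opt/sftpgw/*.jar; else set -- "$SAMPLE_JAR"; fi
for jar in "$@"; do
    ver=$(extract_version "$(basename "$jar")")
    if [ -n "$ver" ]; then
        echo "$jar: version $ver"
        assess "$ver" "$platform"
    fi
done
```

An empty result from `assess` means the version clears every threshold listed in this article; it does not cover the 2025 CVEs, for which the article gives no fix version.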

Planning Your Upgrade

If you’re running a version older than 3.6.0 (which most customers on legacy versions are), there’s no in-place upgrade path. This is because older versions didn’t have user-based licensing, and upgrading requires moving to the new licensing model.

The good news is that the migration process is straightforward:

  1. Export your configuration: From the Settings page, export a backup of your configuration as a YAML file.
  2. Launch a new stack: Deploy the latest version of SFTP Gateway from the marketplace.
  3. Import your backup: Import the YAML backup into the new stack to restore your users and settings.
  4. Validate: Test the new deployment to ensure everything is working correctly.
  5. Cut over: Schedule a DNS cutover to point to the new stack. If anything goes wrong, you can roll back by pointing DNS back to the old stack.

This migration-based approach is actually simpler than it sounds. It’s essentially a backup-and-recovery drill. Most customers complete it in a single maintenance window.

Want an expert on hand during your migration?

We get it. SFTP Gateway is often a critical dependency in your organization, and changes to file transfer infrastructure can feel risky. Our team offers professional services to guide you through the upgrade or handle it entirely for you. Think of it as having a lifeguard nearby while you’re learning to swim in the deep end. Schedule a call with our team, and we’ll walk you through your options.

The Bottom Line

Running SFTP Gateway on an end-of-life operating system isn’t just a technical concern. It’s a security and compliance liability. With Amazon Linux 2 EOL less than six months away, Postgres 13 already unsupported, and certain CVEs that can only be patched on newer operating systems, now is the time to plan your upgrade path.

The latest versions of SFTP Gateway run on supported platforms, include critical security patches, and deliver real performance improvements. Don’t wait until you’re explaining to an auditor why your file transfer infrastructure is running on unsupported software.
